I need to find Intune enrolled iOS, Android, and macOS devices. I've come up with two ways of doing this. Both use the Graph API, but query different things.
The first is to look at Entra ID itself. Every Intune enrolled device is also in Entra ID, but Entra ID contains non-Intune-enrolled devices too. So the trick is to filter for Intune enrolled devices only. This is done via the MdmAppId property. Specifically:
```powershell
MdmAppId eq '0000000a-0000-0000-c000-000000000000'
```
Thanks to this article on how to create dynamic Entra ID groups. There the property is deviceManagementAppId, but you query it via Graph as MdmAppId.
Next, Android can be either Android device admin or Android personal with work profile (there are others too, but these are the two sorts of devices I have in my environment, so that's all I am focussing on). Of these, I know we don't have any "user" Android device admin devices; those are just Teams phones or Teams room devices, so I don't care about them.
Looking at the OperatingSystem property in the output of Get-MgDevice I found the following:
```powershell
$ (Get-MgDevice -All -Property OperatingSystem | Group-Object OperatingSystem).Name
Android
AndroidForWork
iOS
IPad
IPhone
MacMDM
MacOS
Printer
Windows
```
The ones I need are AndroidForWork, IPad, IPhone, and MacMDM. So I can filter for just these via:
```powershell
Get-MgDevice -Filter "(OperatingSystem eq 'MacMDM' or OperatingSystem eq 'AndroidForWork' or OperatingSystem eq 'iPhone' or OperatingSystem eq 'iPad') and MdmAppId eq '0000000a-0000-0000-c000-000000000000'"
```
Easy.
The second way is via Intune. Unfortunately, there the output of Get-MgDeviceManagementManagedDevice has nothing to differentiate between Android device admin and Android personal with work profile. The beta version has it though, in the DeviceType property.
```powershell
Get-MgBetaDeviceManagementManagedDevice -Filter "DeviceType eq 'androidForWork' or DeviceType eq 'iPad' or DeviceType eq 'iPhone' or DeviceType eq 'macMDM'"
```
In theory both should return the same set, but the Intune one is more accurate. That's because when you wipe or retire a device from Intune it doesn't get removed from Entra ID. In my case I had a few extra in Entra ID that weren't in Intune.
To find devices in Entra ID that are not in Intune I did the following and then removed the results:
```powershell
$intuneDevices = (Get-MgBetaDeviceManagementManagedDevice -Filter "DeviceType eq 'androidForWork' or DeviceType eq 'iPad' or DeviceType eq 'iPhone' or DeviceType eq 'macMDM'").AzureActiveDirectoryDeviceId | Sort-Object
$entraDevices = (Get-MgDevice -Filter "(OperatingSystem eq 'MacMDM' or OperatingSystem eq 'AndroidForWork' or OperatingSystem eq 'iPhone' or OperatingSystem eq 'iPad') and MdmAppId eq '0000000a-0000-0000-c000-000000000000'").DeviceId | Sort-Object
Compare-Object $entraDevices $intuneDevices
```
To automate things, I could have changed that last line to:
```powershell
Compare-Object $entraDevices $intuneDevices | Where-Object { $_.SideIndicator -eq "<=" } | ForEach-Object {
    # Entra ID cmdlets need the Id property for the -DeviceId switch, so get that
    $deviceId = (Get-MgDevice -Filter "DeviceId eq '$($_.InputObject)'").Id
    Remove-MgDevice -DeviceId $deviceId
}
```
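An added example, not code from the original post, that wraps the same comparison in a function with -WhatIf/-Confirm support so the orphaned devices can be reviewed before anything is deleted. It assumes the Microsoft.Graph and Microsoft.Graph.Beta modules are installed and a Connect-MgGraph session with Device.ReadWrite.All and DeviceManagementManagedDevices.Read.All; the function name, the -All switch and the report object are my additions.

```powershell
# Added example: audit-first version of the Entra ID / Intune reconciliation.
# Assumes Connect-MgGraph has already been run with the scopes named above.
function Remove-OrphanedEntraMdmDevice {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    $intuneFilter = "DeviceType eq 'androidForWork' or DeviceType eq 'iPad' or DeviceType eq 'iPhone' or DeviceType eq 'macMDM'"
    $entraFilter  = "(OperatingSystem eq 'MacMDM' or OperatingSystem eq 'AndroidForWork' or OperatingSystem eq 'iPhone' or OperatingSystem eq 'iPad') and MdmAppId eq '0000000a-0000-0000-c000-000000000000'"

    # -All on both sides so paging cannot silently truncate one list and make
    # every device past the first page look orphaned.
    $intuneIds = Get-MgBetaDeviceManagementManagedDevice -All -Filter $intuneFilter |
        Select-Object -ExpandProperty AzureActiveDirectoryDeviceId
    $entraDevices = Get-MgDevice -All -Filter $entraFilter `
        -Property Id, DeviceId, DisplayName, ApproximateLastSignInDateTime

    # Intune's AzureActiveDirectoryDeviceId is the Entra DeviceId (not the object Id),
    # so key the lookup on that. Drop empty values before building the set.
    $inIntune = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]@($intuneIds | Where-Object { $_ }),
        [System.StringComparer]::OrdinalIgnoreCase)

    foreach ($device in $entraDevices) {
        if ($inIntune.Contains($device.DeviceId)) { continue }

        # Emit a record of what is about to be removed; with -WhatIf this is the whole output.
        [pscustomobject]@{
            DisplayName = $device.DisplayName
            DeviceId    = $device.DeviceId
            ObjectId    = $device.Id
            LastSignIn  = $device.ApproximateLastSignInDateTime
        }
        if ($PSCmdlet.ShouldProcess($device.DisplayName, 'Remove Entra ID device not present in Intune')) {
            # Remove-MgDevice takes the object Id, not the DeviceId.
            Remove-MgDevice -DeviceId $device.Id
        }
    }
}

# Dry run first: lists the orphaned devices and the removals that would happen.
Remove-OrphanedEntraMdmDevice -WhatIf
```

Because ConfirmImpact is High, running it without -WhatIf prompts for each device; pass -Confirm:$false only once the dry-run output has been reviewed.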
I haven’t checked it out, but it’s possible to set rules in Entra ID to automatically remove stale devices, thus avoiding a mismatch.